Wednesday, November 30, 2011

The following describes SharePoint claims encoding. Keep in mind that the encoded form of a claim can differ from one token issuer to another, because it depends on the primary identity claim that issuer uses. It is generally recommended to review the user profiles after adding them, and before activating the claim provider feature, so that the encoded identities are the ones you expect.

Examples (the same user, nitingupta, first as an identity claim issued by Windows and then as an identity claim issued by a trusted STS named socialauth):

i:0#.w|socialauth\nitingupta

i:05.t|socialauth|nitingupta

Definitions, character by character:

i = Identity claim (character 1). All other claims use "c" instead of "i".

: = Colon (character 2).

0 = Reserved to support future claims (character 3).

#/5 = Claim type encoded value (character 4). The default claim types have a hardcoded encoded value, which keeps the encoding identical across farms: "#" in the first example and "5" in the second.

. = Claim value type encoded value (character 5); the "." in both examples denotes a string value.

Character 6 MUST be "w", "m", "r", "t", "s" or "c". This character represents the encoded original issuer. The list of provider types is specified in the following table:

Original issuer                                           Encoded character
Windows                                                   "w"
ASP.Net Membership provider (Forms based authentication)  "m"
ASP.Net Role provider (Forms based authentication)        "r"
Trusted STS                                               "t"
Local STS                                                 "s"
Claim provider                                            "c"

Character 7 MUST be "|" (pipe). If the original issuer is not Windows or the local STS, the name of the original issuer MUST begin at this point and MUST be terminated by a second "|" (pipe). If the original issuer is Windows or the local STS, there MUST NOT be an issuer name or a second pipe. The claim value begins immediately after the last of these pipes, as the two examples above show (socialauth\nitingupta after the single pipe for Windows; socialauth between the two pipes and nitingupta after them for the trusted STS).

If the claim is encoded as described at the beginning of this section, the encoded claim MUST be lower case, invariant culture; upper case MUST NOT be used.

The characters %, :, ;, and | MUST be HTML encoded wherever they appear in an issuer name or claim value, since ":" and "|" are the separators of the encoded string.

The preceding encoded strings have the following restrictions:

Characters 1 through 5 are case-sensitive.

Claim value, provider type, and original issuer are not case-sensitive.

These restrictions apply only to the encoded claim string. Non-encoded claims are not case sensitive.

The total length of the claim value MUST NOT exceed 255 characters.
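As an added example (not code from the original post, and not SharePoint's own implementation), the following Python parses an encoded claim string into its fields according to the character rules above, re-encodes it in the required lower-case form, and compares two claims using the case-sensitivity and length restrictions just listed. Function and field names are this example's own. Because the post says only that %, :, ; and | must be encoded, not how, the encoder rejects those characters rather than guessing an escape form; that is an assumption of the example.

```python
"""Parse, validate and re-encode SharePoint encoded claim strings.
Added example for this post, not SharePoint's own code; it implements the
character-by-character rules given above."""
from dataclasses import dataclass
from typing import Optional

# Character 6, the encoded original issuer, from the table in the post.
ISSUER_CODES = {"w": "Windows", "m": "ASP.Net Membership provider",
                "r": "ASP.Net Role provider", "t": "Trusted STS",
                "s": "Local STS", "c": "Claim provider"}
IMPLICIT_ISSUERS = {"w", "s"}  # issuer name is implied, never carried in the string
MAX_VALUE_LENGTH = 255
# Separators the post says must be encoded inside a value. The post does not give
# the escape form, so this example rejects them rather than guessing (assumption).
RESERVED_IN_VALUE = ":;|"


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool           # char 1: "i" identity claim, "c" any other claim
    claim_type_code: str        # char 4: encoded claim type ("#" or "5" in the examples)
    value_type_code: str        # char 5: encoded claim value type ("." in the examples)
    issuer_code: str            # char 6: original issuer, lower-cased key of ISSUER_CODES
    issuer_name: Optional[str]  # None for Windows and the local STS
    value: str


def parse_encoded_claim(encoded: str) -> EncodedClaim:
    """Split an encoded claim into fields, raising ValueError on any rule violation."""
    if len(encoded) < 7:
        raise ValueError("encoded claim is too short")
    prefix, colon, reserved, ctype, vtype, issuer, pipe = encoded[:7]
    if prefix not in ("i", "c"):
        raise ValueError("character 1 must be 'i' or 'c'")
    if colon != ":":
        raise ValueError("character 2 must be ':'")
    if reserved != "0":
        raise ValueError("character 3 is reserved and must be '0'")
    issuer = issuer.lower()  # provider type is not case-sensitive
    if issuer not in ISSUER_CODES:
        raise ValueError(f"unknown original issuer code {issuer!r}")
    if pipe != "|":
        raise ValueError("character 7 must be '|'")
    rest = encoded[7:]
    if issuer in IMPLICIT_ISSUERS:
        issuer_name: Optional[str] = None
        value = rest
    else:
        # A '|' inside the issuer name would have to be encoded, so the first
        # pipe after the name is its terminator.
        issuer_name, sep, value = rest.partition("|")
        if not sep or not issuer_name:
            raise ValueError("this issuer type requires '<issuer name>|' before the value")
    if not value:
        raise ValueError("claim value is missing")
    if len(value) > MAX_VALUE_LENGTH:
        raise ValueError("claim value exceeds 255 characters")
    return EncodedClaim(prefix == "i", ctype, vtype, issuer, issuer_name, value)


def is_valid_encoded_claim(encoded: str) -> bool:
    """Boolean wrapper for validating claim strings received at a trust boundary."""
    try:
        parse_encoded_claim(encoded)
    except ValueError:
        return False
    return True


def encode_claim(claim: EncodedClaim) -> str:
    """Produce the lower-case encoded string for a claim, refusing unencoded separators."""
    if claim.issuer_code not in ISSUER_CODES:
        raise ValueError(f"unknown original issuer code {claim.issuer_code!r}")
    for part in (claim.issuer_name or "", claim.value):
        if any(ch in part for ch in RESERVED_IN_VALUE):
            raise ValueError("':', ';' and '|' must be encoded before use in a claim")
    if not claim.value or len(claim.value) > MAX_VALUE_LENGTH:
        raise ValueError("claim value must be 1 to 255 characters")
    head = ("i" if claim.is_identity else "c") + ":0" + claim.claim_type_code \
        + claim.value_type_code + claim.issuer_code + "|"
    if claim.issuer_code in IMPLICIT_ISSUERS:
        return head + claim.value.lower()
    if not claim.issuer_name:
        raise ValueError("issuer name required for this issuer type")
    return head + claim.issuer_name.lower() + "|" + claim.value.lower()


def claims_equal(a: EncodedClaim, b: EncodedClaim) -> bool:
    """Characters 1-5 compare exactly; issuer code, issuer name and value ignore case."""
    return (a.is_identity == b.is_identity
            and a.claim_type_code == b.claim_type_code
            and a.value_type_code == b.value_type_code
            and a.issuer_code.lower() == b.issuer_code.lower()
            and (a.issuer_name or "").lower() == (b.issuer_name or "").lower()
            and a.value.lower() == b.value.lower())


if __name__ == "__main__":
    # Constructed inputs: the two examples from the post, parsed and round-tripped.
    for sample in ("i:0#.w|socialauth\\nitingupta", "i:05.t|socialauth|nitingupta"):
        claim = parse_encoded_claim(sample)
        print(sample, "->", ISSUER_CODES[claim.issuer_code], claim.issuer_name, claim.value)
```

The parser keeps the issuer name and value exactly as received, so a comparison must go through claims_equal rather than string equality; two strings that differ only in the case of the value or the provider letter denote the same claim, whereas a different character 4 (claim type) does not.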

In the SAML token, the claim value of the NameIdentifier claim type MUST be lower case, invariant culture. This claim MUST be in the header of the SAML token, as specified in the [SAMLToken1.1] protocol document.

All tokens issued for SharePoint MUST contain exactly ONE FarmId claim, carrying the identifier of the SharePoint farm for which the token was issued.